Take the example of the recent ASP.NET (and Java Server Faces) vulnerability disclosure at a hacker conference in Brazil. It's my understanding that the POET tool was demonstrated before Microsoft was even aware of the issue.

Are there laws to protect legitimate customers from people who incite the hacker community to start hacking all the ASP.NET servers they can? Who knows how many legitimate businesses were compromised between when the tool was demoed and the patch was applied to the server.

You've probably been told this before by another pedant like me, but please don't confuse hacker with cracker.
– imgx64 Oct 13 '10 at 8:44

5

@Maker: 33 questions, 0 accepted answers. It only takes a second or two to reward those who kindly answered your questions.
– spender Oct 13 '10 at 11:52

6

@spender: Not on programmers.SE; there is no point to accepting a subjective answer to a subjective question.
– imgx64 Oct 13 '10 at 15:17

1

@spender: Also there are many on meta who think the "accepted" answers should be removed from this site. I do thank people by +1 almost every answer, even if I don't leave a comment saying so.
– goodguys_activate Oct 13 '10 at 19:42

4 Answers
4

Who knows how many legitimate businesses were compromised between when the tool was demoed and the patch was applied to the server.

Who knows how many legitimate businesses were compromised before the tool was demoed? You seem to be making the assumption that this demo at a conference in Brazil was the first any bad guys heard of it.

Where would the laws apply? If the tool was demoed in Brazil, presumably it would have to be Brazilian law that is applied. So even if there was a U.S. law that protected companies, it wouldn't have helped because you can't prosecute someone in Brazil for violating a U.S. law.

You might be able to get a law like that passed in the U.S., and probably a few other countries as well (I'm sure you'd be able to get my country, Australia, to pass such a law as well, with a bit of lobbying). But good luck getting an equivalent one passed in China, Russia, or one of the many other countries where "hacking" is more prevalent anyway.

In the general case, no. It is not illegal to discover a security issue. It is not illegal (and I argue it should not be) to discuss this with other people before notifying the vendor.

It is (in many, probably most, jurisdictions) illegal to use a security flaw without prior permission of the owner of the machine you're using it on.

However, if you ask "is it ethical", I'd have to hedge my answers a bit more. It can be ethical, it can be unethical, it depends on many variables.

You also have the problem of "what to do if the vendor is not responsive". This is, from my understanding, becoming less common these days, but there have certainly been multiple cases in the past where security researchers have notified a vendor of an existing security hole and the vendor has done nothing for years, until they've finally published the research (sometimes, but not always, prompted by seeing the security hole used by cracking toolsets in the wild).